


Re: [tlug] Troubleshooting SELinux enforcement on httpd daemon (solved)



Hi again TLUG,

Well, hacking around a bit I've found the solution. For those playing
around with SELinux, if you need to make a minor change in your security
policy this is a good place to start:

http://www.linuxtopia.org/online_books/redhat_selinux_guide/selg-section-0120.html

I've done the following to fix the problem I was having:

1) installed selinux-policy-targeted-sources.noarch
2) installed setools-gui.x86_64

The programs that come with setools, apol and seAudit, are very useful in
this situation to check the logs IRT whatever is being blocked via your
SELinux policy. You can make minor changes with relative ease using the
following:

[root@example.com policy]# audit2allow -d -l -o domains/misc/local.te

Basically this just scans /var/log/messages for the most recent context
denials since the last policy reload, then creates an allow rule (or
rules) in that local.te file. For example, previously I was getting
this kind of error:

Jan 05 08:53:19 slackisland kernel: avc:  denied  { } for  pid=7084
comm=httpd name="Foo_Bar" dev=dm-4 ino=4884727
scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t
tclass=lnk_file

after running audit2allow it created this in the local.te file:

allow httpd_t var_t:lnk_file { getattr read };

moving back to the /etc/selinux/targeted/src/policy directory and
running: 

[root@example.com policy]# make load

created a new SELinux policy. After restarting the httpd daemon,
symlinks to non-/var/www filesystems are working fine again.

Maybe this will be useful to someone, as there isn't much chatter on TLUG
IRT SELinux.

Cheers,
Scott VanDusen
Tokyo
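As an added illustration of what audit2allow is doing in the post above (this is example code written for this archive page, not part of Scott's message or of the setools/audit2allow project), here is a small parser that reads kernel AVC denial lines, merges the denied permissions per (source domain, target type, object class) triple and renders `allow` rules in the same form as the `local.te` line shown. The log lines are constructed for the example; the post's own line has an empty `{ }` permission set, so real permission names have been filled in here. The `GENERIC_TYPES` watchlist is an assumption of this example, not something audit2allow maintains: it flags rules whose target is a broad system type, because `allow httpd_t var_t:lnk_file { getattr read };` lets httpd read every `var_t` symlink on the box, and relabeling the specific content is usually the narrower fix.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not from the original post).
SAMPLE_LOG = """\
Jan 05 08:53:19 slackisland kernel: avc:  denied  { getattr } for  pid=7084 comm=httpd name="Foo_Bar" dev=dm-4 ino=4884727 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=lnk_file
Jan 05 08:53:19 slackisland kernel: avc:  denied  { read } for  pid=7084 comm=httpd name="Foo_Bar" dev=dm-4 ino=4884727 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=lnk_file
Jan 05 08:53:20 slackisland kernel: avc:  denied  { read } for  pid=7084 comm=httpd name="index.html" dev=dm-4 ino=4884730 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
Jan 05 08:53:21 slackisland kernel: some unrelated line
"""

# Matches the "avc: denied { perms } for key=value ..." part of a kernel message.
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")

# Assumed watchlist of broad system types; a rule targeting one of these
# grants far more than the single file that triggered the denial.
GENERIC_TYPES = {"var_t", "etc_t", "tmp_t", "usr_t", "home_root_t"}


def parse_avc(line):
    """Return the parts of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value tokens; quoted values without embedded spaces are assumed,
    # as in the post's name="Foo_Bar".
    fields = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    try:
        return {
            "perms": set(m.group("perms").split()),
            # user:role:type[:level] -> the type is the third field
            "sdomain": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None


def collect_denials(log_text):
    """Merge denied permissions per (source domain, target type, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["perms"]:
            merged[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(merged)


def render_rules(denials):
    """Render merged denials as allow rules, the way they land in local.te."""
    return [
        "allow %s %s:%s { %s };" % (sdomain, ttype, tclass, " ".join(sorted(perms)))
        for (sdomain, ttype, tclass), perms in sorted(denials.items())
    ]


def flag_generic_targets(denials):
    """Return the triples whose target type is a broad system type."""
    return sorted(key for key in denials if key[1] in GENERIC_TYPES)


if __name__ == "__main__":
    denials = collect_denials(SAMPLE_LOG)
    for rule in render_rules(denials):
        print(rule)
    for sdomain, ttype, tclass in flag_generic_targets(denials):
        print("# review: %s -> %s:%s targets a broad type; consider relabeling instead"
              % (sdomain, ttype, tclass))
```

Run it against `/var/log/messages` (or audit.log on newer systems) by reading the file into `collect_denials`; the point is to review each rendered rule before loading it, since the generated rule is only as narrow as the target type in the denial.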


